SSH-Tunnels
The idea behind SSH tunnels is to encrypt otherwise unencrypted traffic. You can tunnel any TCP connection through SSH: VNC, POP3, …
Concept
The procedure is very simple: open an SSH connection to a host and enable port forwarding through it.
Prerequisites
- A server where you can log in using SSH
- A secure shell client (I like PuTTY very much and will describe tunnelling mainly using PuTTY's interface)
- You know how to connect to your server using the secure shell client
The image illustrates what happens: the forwarded connection is protected from the client to the host. On the host, the connection is unwrapped and continues (unencrypted) to the destination.
This is a good way of manoeuvring through hostile networks: I use SSH tunnels to connect to databases over the internet. I log in at the remote gateway and forward the connection to the database server.
HOWTO… with PuTTY
You should know a little bit about Secure Shell (at least how to establish normal SSH sessions where you end up using a console). I won't describe that here.
Let's assume we want to connect to a web server (the destination, listening on port 80) behind a gateway (the host). I know there is HTTPS, but this should just serve as an example.
For the sake of this example, the host's name is gateway.mydomain.bogus and the destination's name is beeblebrox. Start PuTTY as usual, but before connecting to gateway.mydomain.bogus go to PuTTY's Tunnels option:
You can see that local port 8888 is forwarded to beeblebrox' port 80. That means any connection to port 8888 on your local computer is actually sent to beeblebrox' web server.
You just have to add this port forwarding (click the Add button), then connect to the server and log in as usual. The tunnel should now be available.
Hints: The name beeblebrox is resolved at the server you are connecting to (in this case gateway.mydomain.bogus). Otherwise you could never connect to computers with private IP addresses (192.168.1.3, for instance).
The checkbox local ports accept connections from other hosts indicates whether another computer can connect to your forwarded port (and thus use the tunnel).
If you have a command-line SSH2 client, you can enter ssh -L 8888:beeblebrox:80 gateway.mydomain.bogus to create a tunnel from your client to the gateway and forward local port 8888 to beeblebrox' port 80.
Now fire up your favourite browser and enter http://localhost:8888/. You should see beeblebrox' webserver answering.
That's it. It is not too hard, once you know how to create the tunnel. And as I mentioned before: You can tunnel any TCP connection through SSH.
Addenda
Remote forwarding
Remote port forwarding from computer A to computer B is the same as if you sat on computer B and did a local forward to computer A. This is only important if you cannot open an SSH tunnel directly from computer B (for instance, you have no SSH client there, but a server).
Batch files
PuTTY can also be used from the command line (and thus within scripts) to establish an SSH tunnel. You need to prepare a session:
- Prepare public-key authentication (the server must support it, though). Take a look at the PuTTY documentation about public keys.
- Configure the ports you want to forward
- Use the prepared private/public key pair with this connection
- Save the session
Now you can use plink.exe, available from the PuTTY download page, to establish the session by its name: plink <sessionname>
DNS pitfall
When I first tried tunnelling I noticed some problems with connections to localhost on the remote computer. I just could not establish a tunnel. After some hacking around I found that the name resolution of localhost didn't work properly on the remote machine: there was no localhost entry in the zone file.
So if you need to connect to localhost, then either edit the zone files (if you are allowed to) or connect to localhost. (note the dot!) or 127.0.0.1.
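The command-line equivalent of the PuTTY settings above, as an added example that is not part of the original page: it builds the OpenSSH command for the local forward from the HOWTO and for a remote forward, keeps the listening port bound to the loopback address unless you explicitly allow other hosts (the checkbox from the hints), and replaces a bare localhost destination with 127.0.0.1 because of the DNS pitfall. gateway.mydomain.bogus and beeblebrox are the page's example names; an OpenSSH client is assumed.

```shell
#!/bin/sh
# Added example (not from the original page): build the OpenSSH command that
# matches the PuTTY tunnel settings described above. Host names are the
# page's examples (gateway.mydomain.bogus, beeblebrox).

# forward_spec LOCAL_PORT DEST DEST_PORT [ALLOW_OTHER_HOSTS]
# Prints the argument for -L/-R. The listening port is bound to 127.0.0.1
# unless ALLOW_OTHER_HOSTS is "yes" (the PuTTY checkbox "local ports accept
# connections from other hosts"), so by default only this machine can use
# the tunnel. For -R a non-loopback bind also needs GatewayPorts on sshd.
forward_spec() {
    lport=$1; dest=$2; dport=$3; allow=${4:-no}
    # DNS pitfall: "localhost" is resolved on the gateway, where the name
    # may be missing from the zone; use the loopback address instead.
    if [ "$dest" = "localhost" ]; then dest=127.0.0.1; fi
    if [ "$allow" = "yes" ]; then bind=0.0.0.0; else bind=127.0.0.1; fi
    printf '%s:%s:%s:%s\n' "$bind" "$lport" "$dest" "$dport"
}

# tunnel_cmd MODE LOCAL_PORT DEST DEST_PORT GATEWAY [ALLOW_OTHER_HOSTS]
# MODE "local" gives ssh -L (the HOWTO above); "remote" gives ssh -R, i.e.
# the listening port is opened on the gateway and points back to this side.
# -N: open no shell, just carry the forward. ExitOnForwardFailure=yes makes
# ssh exit instead of leaving you with a session but no tunnel.
tunnel_cmd() {
    mode=$1; lport=$2; dest=$3; dport=$4; gw=$5; allow=${6:-no}
    case $mode in
        local)  flag=-L ;;
        remote) flag=-R ;;
        *) echo "tunnel_cmd: mode must be local or remote" >&2; return 1 ;;
    esac
    spec=$(forward_spec "$lport" "$dest" "$dport" "$allow") || return 1
    printf 'ssh -N -o ExitOnForwardFailure=yes %s %s %s\n' "$flag" "$spec" "$gw"
}

# Run this script with "demo" to print the commands for the page's example.
# Run the printed command in a terminal (it stays in the foreground while the
# tunnel is up), then browse http://localhost:8888/.
if [ "${1:-}" = "demo" ]; then
    tunnel_cmd local  8888 beeblebrox 80 gateway.mydomain.bogus
    tunnel_cmd remote 8888 beeblebrox 80 gateway.mydomain.bogus
fi
```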